Risk Management 20 Years on

The past is a foreign country; they do things differently there’ according to L. P. Hartley, ‘ (The Go-Between, 1953).

As Project Manager Today celebrates its twentieth anniversary of serving the project management community this month, it seems a good time to look back over how risk management has changed in the past two decades. Of course people have always managed risk, right from the time the first caveman sharpened his stick before setting out to catch his mammoth supper. In fact the history of risk management can be traced back to the earliest civilisations, as documented in the groundbreaking book Against the Gods by the late Peter Bernstein. But what has happened more recently?

Most readers of Project Manager Today will have started managing projects in the past twenty years or so. So, how has risk management developed in that time, and are we doing it any better now than our project management predecessors or ancient ancestors? I first heard the word risk in a project context in 1985, when I was a junior project manager in a leading UK engineering company working in the defence sector. Around this time the UK Ministry of Defence issued instructions that all defence programmes must use a formal approach to risk management, and my project was chosen to pilot this new development in our company. [This was the first step on the journey that led to the emergence of the Risk Doctor, but that’s another story]

Our first attempts at risk management were very limited, and drew heavily on the work of Professor Chris Chapman in the North Sea oil sector, supported by one of the first UK risk consultancies (EuroLog). This led to an early emphasis on quantitative risk analysis as a means of evaluating the overall effect of identified risks on project duration or total cost, based on a robust Risk Register that captured a wide set of risks to the project. Like others in the defence sector, we did risk management because we were told to by our major client, but we really found it helpful in spotting potential problems sufficiently in advance to be able to manage them. By 1990 we were convinced that managing risk effectively was a major contributor to successful projects, and we did it because it worked.

Looking back at those early days and comparing with how risk is managed on projects today, there are some clear differences, and a few things that remain depressingly the same. One major improvement has been the software tools that are now available to support the risk process. I wrote my first Risk Register programme using dBase III in the days before desktop computers, and I had to construct a detailed text file containing quantitative risk analysis input data which was telexed to a bureau running Monte Carlo simulations using Promap V on a water-cooled mainframe in Houston!

Today’s risk tools are cheap, fast and reliable, with powerful functionality and great user interfaces. Another key difference has been in the scope of the project risk process. In the early days we were only interested in threats to project time and cost.

Now it is common for the risk process to be used to identify opportunities alongside threats, and impacts are assessed against other project objectives as well as the project schedule and budget. A much more integrated approach is used, particularly in the way quantitative risk analysis is performed within the risk process – in the old days it was done separately, in isolation from the qualitative assessment recorded in Risk Registers, but now we recognise the importance of aligning both qualitative and quantitative risk analyses.

Finally on the difference front, risk management has become much more common, with wider application across all types and sizes of projects in all industries. The emergence of consensus on risk concepts, terminology, methodology, techniques and processes has encouraged the view that managing risk is a natural part of project management, and many more people are doing it, at least to some degree.

Unfortunately however, some things have not changed much from the early days twenty years ago, despite great improvements in tools, techniques and processes. These unwelcome similarities mostly relate to the culture surrounding risk management in today’s project environment. For example it is still all too common to find project teams who are merely going through the motions, ‘doing risk management’ instead of actually managing risk.

They follow their risk procedures by rote because it is required by the quality system or by a client contract, but they show no commitment to action and no understanding that managing risk is supposed to add value to the project. Instead risk management is seen as additional cost, an optional extra, and a necessary evil to be endured and got through as quickly as possible. This is often reinforced by senior management who tend to view risk management as a technical function done by engineers, with no relevance to the business case or the value, which the project is intended to deliver.

Even worse is when risk management is seen as a separate discipline, which is performed by risk experts, and not integrated into the overall management of the project. So looking back over the past twenty years of risk management on projects, considerable progress has been made in some areas, notably the technical aspects of the discipline. But there’s still some way to go before risk management is seen to deliver on its full promise as a major contributor to project and business success. Perhaps when Project Manager Today is celebrating its fiftieth birthday the story may be different – let’s hope so.